How to report breaches of confidentiality in eIRB

It is important to report potential breaches of confidentiality to both the Institutional Review Board (irb@ohsu.edu or 503-494-7887 option 2) and the Office for Information Privacy and Security as soon as possible. For the IRB, a breach of confidentiality can be considered an Unanticipated Problem, a Protocol Deviation, or both.

Submit an Unanticipated Problem (UP) report if: The incident was unanticipated and may place subjects or others at a greater risk of harm or discomfort. A confidentiality UP involves any accidental disclosure or potential disclosure of subject information. Disclosures not authorized by the study documents and the IRB’s approval should always be reported. The classic case is a stolen laptop.

Submit a Protocol Deviation (PD) report if: The incident resulted in a deviation from confidentiality protection procedures described in your protocol or study documents. For example, if your protocol states that the code key will be kept in a locked file cabinet separate from the rest of the study records, and your colleague discovers the code key sitting on your desk while you’re out at a meeting, you would submit a PD.

Submit BOTH a UP and a PD if: The incident resulted in a deviation from the protocol’s confidentiality procedures that was unanticipated and may place subjects or others at a greater risk of harm or discomfort. For instance, the PD scenario above also becomes reportable as a UP if the colleague was not associated with the study and the code key was sitting alongside several study files. The stolen laptop UP scenario also becomes reportable as a PD if your protocol describes security measures for transporting data on laptops, and those security measures were not being followed when the laptop was stolen.

The IRB evaluates each reportable event submission to determine whether it meets the regulatory definition of an unanticipated problem involving risks to subjects or others and/or an instance of serious or continuing noncompliance. Both UPs and PDs can sometimes fit either or both of these definitions. If the event meets one or both definitions, corrective actions will likely be required, and the event may need to be reported to certain federal agencies and/or the sponsor of the research, as applicable.

If you are not sure what type of submission is required or whether a particular event is reportable, feel free to contact the Integrity Office for guidance at 503 494-7887, option 1.